[BUG] Keycloak admin user cannot see groups for cluster members #45496
Labels:
area/rbac
kind/bug: Issues that are defects reported by users or that we know have reached a real release
priority/1
team/collie: the team that is responsible for auth and rbac within rancher
Issue description:
An admin user can see only groups to which it belongs on Keycloak. So in the Rancher scope, the admin cannot see groups assigned to a cluster, or that someone added to an administrator role.
Business impact:
One cannot see groups someone else may have assigned to the administrator role. This can result in permissions that are not desired, and this problem cannot be detected.
Repro steps:
Add a group to a Cluster -> Cluster Members
Log in with an administrator that does not belong to that group
You get "Unable to fetch principal info"
Workaround:
Is a workaround available and implemented? no
What is the workaround:
Actual behavior:
Administrators cannot see groups assigned to cluster memberships unless they are part of that group on Keycloak
Expected behavior:
Administrators should be able to see groups assigned to clusters